HTTP logging requirements for university data

Overview

This article covers HTTP server logging requirements for applications processing UI data. Follow these guidelines to meet the standards for audit logging per ITS Standards for Data Classification, for APM 30.11.

Applications processing non-public U of I data should log information pertaining to each HTTP request. Most web server software has the capability to log HTTP request information, if your are running a custom application you may need to code logic to record request data.

Required logging information includes the following data points. This information improves security monitoring and investigation.

  • Timestamp
  • Client IP
  • Client Port
  • Client User Agent
  • Client X-Forwarded-For header value
  • Client Refer header value
  • HTTP status code
  • HTTP method
  • HTTP path
  • Bytes received
  • Bytes sent

Not all server platforms support all of these fields. For example, Apache Tomcat does not have a known method to log the bytes received.

Refer to the following UI ITS Security articles to configure compliant HTTP logging for several common web servers.